Parsing the xml deployment descriptor to get security role information
actually sounds like a pretty decent idea. It sure beats hardcoding the
information in an EJB and having to keep the two in sync. I'd be very
interested in any progress you make in this area.
Hopefully querying an EJB for this type of information will become part of
the 2.0 spec so we don't have to resort to such madness for such a common
problem.
Jeff Bailey ([EMAIL PROTECTED])
Sr. Software Engineer
NetGenics, Inc.
-----Original Message-----
From: Rickard Öberg [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 27, 1999 7:12 AM
To: [EMAIL PROTECTED]
Subject: Re: Q: EJB security roles & User Interface
Hey
Here's a wild one :-)
> David Gasul wrote:
> I'm not claiming that the implementation of security should be
> REMOVED from the EJB level.
> I think though, that the EJB container should provide the means for
> introspection of security
> so that clients can implement the right UI. This capability seems to
> be missing from EJB, or is it?
I think this makes a lot of sense, especially from an HCI
(Human-Computer Interaction) perspective.
While I don't think this functionality should be added to the EJB spec.,
here's a possible solution:
Make an interface AccessibleEJB (or whatever, can't find a good name
right now):
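    import java.rmi.RemoteException;
    import java.util.Enumeration;

    public interface AccessibleEJB
    {
        // Principals that are allowed to access the bean
        public Enumeration getAllowedPrincipals()
            throws RemoteException;
    }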
Have the remote interface of your EJB that you want to protect extend
this interface.
In your bean, implement this by returning the principals that are
allowed to access the bean. This result could be based on the particular
instance, or it could be the "static" security information from the
EJB-XML file.
In case you want to access the EJB-XML, how do you do that? Well, I
haven't tested this but it could work:
Get an inputstream to the EJB-XML document in your JAR by doing
getClass().getResourceAsStream("/META-INF/ejb-jar.xml"). Parse the
XML by using some XML parser into a Document. Now you have two choices:
either traverse and find the info manually by using the DOM API, or
translate the XML document into a JavaBeans structure which represents
the XML doc. As it happens I have a set of JavaBeans that does just that
8-) Strange, eh. Contact me if you're interested in the source/classes.
After that it is simple to get the roles and return them.
As I said, a rather "out there" solution, but I think it could work on
most (all?) EJB implementations. And it would solve the problem rather
nicely.
Comments..?
/Rickard
--
Rickard Öberg
@home: +46 13 177937
Email: [EMAIL PROTECTED]
Homepage: http://www-und.ida.liu.se/~ricob684
===========================================================================
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff EJB-INTEREST". For general help, send email to
[EMAIL PROTECTED] and include in the body of the message "help".
===========================================================================
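The descriptor lookup proposed in the quoted message, taking the manual DOM route, as an added example that is not code from either poster. It assumes the EJB 1.1 descriptor layout (method-permission elements holding role-name and method/ejb-name children); the class name, bean names and role names are constructed, and the entity resolver is an addition here so that parsing never fetches the DTD or any external entity.

```java
import java.io.*;
import java.util.*;
import javax.xml.parsers.*;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

public class DescriptorRoles {
    // Constructed sample descriptor (bean and role names are made up). A bean would
    // open the real one with getClass().getResourceAsStream("/META-INF/ejb-jar.xml").
    static final String SAMPLE =
        "<!DOCTYPE ejb-jar PUBLIC '-//Sun Microsystems, Inc.//DTD Enterprise JavaBeans 1.1//EN'"
      + " 'http://java.sun.com/j2ee/dtds/ejb-jar_1_1.dtd'>"
      + "<ejb-jar><assembly-descriptor>"
      + "<method-permission><role-name>teller</role-name><role-name>manager</role-name>"
      + "<method><ejb-name>Account</ejb-name><method-name>*</method-name></method>"
      + "</method-permission><method-permission><role-name>auditor</role-name>"
      + "<method><ejb-name>Ledger</ejb-name><method-name>*</method-name></method>"
      + "</method-permission></assembly-descriptor></ejb-jar>";

    /** Roles named in any method-permission that covers the given ejb-name. */
    static Set<String> rolesFor(InputStream descriptor, String ejbName) throws Exception {
        DocumentBuilder builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
        // Resolve the DTD and any external entity to an empty source, so parsing
        // never touches the network or the file system.
        builder.setEntityResolver((pub, sys) -> new InputSource(new StringReader("")));
        Document doc = builder.parse(descriptor);
        Set<String> roles = new TreeSet<>();
        NodeList perms = doc.getElementsByTagName("method-permission");
        for (int i = 0; i < perms.getLength(); i++) {
            Element perm = (Element) perms.item(i);
            if (texts(perm, "ejb-name").contains(ejbName)) roles.addAll(texts(perm, "role-name"));
        }
        return roles;
    }

    /** Trimmed text of every descendant element with the given tag. */
    static List<String> texts(Element parent, String tag) {
        List<String> out = new ArrayList<>();
        NodeList nodes = parent.getElementsByTagName(tag);
        for (int i = 0; i < nodes.getLength(); i++) out.add(nodes.item(i).getTextContent().trim());
        return out;
    }

    public static void main(String[] args) throws Exception {
        System.out.println(rolesFor(new ByteArrayInputStream(SAMPLE.getBytes("UTF-8")), "Account"));
    }
}
```

The roles returned this way are only a hint for building the UI; the container still enforces the method permissions on every call.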